# How to Calculate Security Risk

## Measuring Risk

The definition of Risk is:  risk = likelihood x impact. This formula is not abstract and makes sense. So follow along with me as we calculate risk.

## Intuitive Risk Formula

impact x probability = risk

Let’s run through some scenarios. Remember each scenario is going to have a different risk rating.

## What is the Probability?

1. What is the risk that my business information will be compromised (lost, stolen or unintentionally destroyed)?

Now let’s assign values based on high being 10 and low being zero.

Now the likelihood is based on your current environment. Do you have a loose or very tightly organized workflow, what type of controls or mitigating factors are in place to prevent bad things from happening and so on.  Or, is it somewhere in the middle or perhaps somewhere between? I am going to rate this as a likelihood factor of 7 (As an example).

Probability

None……………………………….…………………….X……………………….Definitely

1          2          3          4          5          6          7          8          9          10

## Now let’s look at Impact.

2.  What are the consequences to losing data? Questions like:

Is my business highly regulated or not regulated?

Are we handling other people’s information?

Can this impact our business from a legal perspective?

Can we lose money?

And so on…

So let’s use this chart. The impact would be low if you don’t have any data that contains sensitive information and there are no consequences if your information was lost, stolen or destroyed. But, what if you had some confidential information that could pose consequences?

Consequences

None………………………………………..….…..X………..………………..Tremendous

1          2          3          4          5          6          7          8          9       10

There would be some consequences to our business so my rating would be approximately 6.5.

## Calculate Risk

Now we need to correlate these numbers to develop our risk score. Let’s plug in the numbers. First we defined our probability as a 7 and our impact was 6.5, so we multiply those together and that will determine our risk score.

impact x probability = risk

7 x 6.5 = 45.5

We multiple numbers together and calculate a risk score of 45.5 and putting on the scale gives us a risk rating of Medium Low to Medium. We use one hundred point scale because our highest number would be Impact of 10 out of 10 and a Probability of 10 out of 10. (Which is of course 100 and inversely the lease impact would be zero and the probability would be zero, which multiplied together equals zero.)

Risk

Low………………………..……..…X…………………………………………..…..…High

10       20         30         40         50         60         70         80         90         100

0